Rowland penny
2021-Jan-22 19:56 UTC
[Samba] Minimum footprint for authenticating CIFS shares with Kerberos
On 22/01/2021 19:15, Dorian Taylor (Lists) via samba wrote:
> Good day,
>
> I have a home office network where, because of work, I already have:
>
> * an LDAP server
> * a Kerberos KDC/admin server
> * a DNS server

You do realise that they are the main components of AD.

> What I am after is a quasi-replacement for the AFS server I just removed after ten years, i.e., I want to access files over a network, and I want to be able to authenticate to that service using Kerberos.
>
> I followed some instructions to set Samba up as an Active Directory PDC

No such thing, there is an AD DC and an NT4-style PDC, but they are totally different things ?

> , but I didn't realize, at the outset, that meant spinning up a bunch of its own daemons that are fighting for the same ports a bunch of services are already running on.

I take it you haven't read any AD documentation ?

> (For what it's worth, the server is Ubuntu 20.04, which is curiously missing a systemd service definition for the `samba` daemon.)

This is because you now use 'samba-ad-dc' to start the Samba AD DC and 'smbd', 'nmbd' and 'winbind' to start the daemons for a Unix domain member.

> I suppose my question is: To what extent I can configure Samba to provide just enough material to, for instance, fool a Mac's native CIFS client into authenticating to a Samba share with Kerberos?

Easy, turn off your ldap server, KDC and DNS server, then start your AD DC with 'systemctl start samba-ad-dc', though you will probably have to unmask it first.

Rowland
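A pre-flight check for the "turn off your ldap server, KDC and DNS server, then start samba-ad-dc" step above, added here as an example and not part of Rowland's reply or of Samba itself: it reports which of the ports a Samba AD DC will bind are still held by an existing listener, so the conflict is found before the unmask/start rather than by a failed start. The AD DC port set and the 'ss -Hlntu' column layout are assumptions; the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find existing listeners on the ports a
# Samba AD DC needs before running 'systemctl unmask/start samba-ad-dc'.
# Port set and the 'ss -Hlntu' column layout are assumptions.

# TCP/UDP ports a Samba AD DC normally listens on (assumed set; trim to taste).
AD_DC_PORTS="53 88 135 139 389 445 464 636 3268 3269"

# find_port_conflicts LISTING
#   LISTING is text in 'ss -Hlntu' form (Netid State Recv-Q Send-Q Local Peer).
#   Prints the conflicting AD DC ports, space-separated, in AD_DC_PORTS order.
#   Returns 0 when there are no conflicts, 1 otherwise.
find_port_conflicts() {
    listing=$1
    conflicts=""
    for port in $AD_DC_PORTS; do
        # Field 5 is the local address; the port is whatever follows the last
        # ':' so both 0.0.0.0:389 and [::]:389 match.
        if printf '%s\n' "$listing" | awk -v port="$port" '
            { n = split($5, a, ":"); if (a[n] == port) found = 1 }
            END { if (found) exit 0; exit 1 }'; then
            conflicts="$conflicts $port"
        fi
    done
    printf '%s\n' "${conflicts# }"
    [ -z "$conflicts" ]
}

# Run against the live host: refuse to start the DC while conflicts remain.
preflight_and_start() {
    if conflicts=$(find_port_conflicts "$(ss -Hlntu)"); then
        systemctl unmask samba-ad-dc && systemctl start samba-ad-dc
    else
        echo "stop these listeners first, they hold AD DC ports: $conflicts" >&2
        return 1
    fi
}

# Constructed sample listing, standing in for 'ss -Hlntu' on a host that still
# runs its own DNS, KDC and LDAP (the situation described in the thread).
SAMPLE_SS_OUTPUT='udp   UNCONN 0 0   0.0.0.0:53   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:88   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:389  0.0.0.0:*
tcp   LISTEN 0 128 [::]:636     [::]:*
tcp   LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*'

# prints: 53 88 389 636
find_port_conflicts "$SAMPLE_SS_OUTPUT" || echo "conflicts present, do not start samba-ad-dc yet" >&2
```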
Dorian Taylor (Lists)
2021-Jan-22 20:23 UTC
[Samba] Minimum footprint for authenticating CIFS shares with Kerberos
> On Jan 22, 2021, at 11:56 AM, Rowland penny via samba <samba at lists.samba.org> wrote:
>
> You do realise that they are the main components of AD.

I do! And they are working just fine and I would prefer not to get rid of them, because they are already configured and I am using them for things.

> No such thing, there is an AD DC and an NT4-style PDC, but they are totally different things ?

Thank you for apprising me of the correct terminology.

> I take it you haven't read any AD documentation ?

I'm awash in documentation. For the record it isn't obvious from the outside that Samba has to manage all of those services internally and not avail itself of existing resources.

> This is because you now use 'samba-ad-dc' to start the Samba AD DC and 'smbd', 'nmbd' and 'winbind' to start the daemons for a Unix domain member.

Yeah, thanks, I found that shortly after sending.

> Easy, turn off your ldap server, KDC and DNS server, then start your AD DC with 'systemctl start samba-ad-dc', though you will probably have to unmask it first.

Perhaps the question I should have asked is "how closely-coupled is using Kerberos to authenticate to a Samba share to the whole AD ball of wax?", but it looks like the answer is "It's all or nothing, baby."

Regards,

--
Dorian Taylor
Make things. Make sense.
https://doriantaylor.com